Project Zero lays into Symantec’s enterprise products, the botnet you’ll never find & the poor security of HTML5 video ads.

Plus your questions, our answers & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Google’s Project Zero lays into Symantec’s Enterprise Endpoint Security products

• “Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.”
• “Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.”
• “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
• “As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:”
• Norton Security, Norton 360, and other legacy Norton products (All Platforms)
• Symantec Endpoint Protection (All Versions, All Platforms)
• Symantec Email Security (All Platforms)
• Symantec Protection Engine (All Platforms)
• Symantec Protection for SharePoint Servers
• And so on.
• “Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.”
• “Many developers will be familiar with executable packers like UPX, they’re tools intended to reduce the size of executables by compressing them. This causes a problem for antivirus products because it changes how executables look.”
• Packers can be designed to obfuscate the executable, and make it harder for virus scanners to match against their signature database, or heuristically detect bad code
• “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
• “The problem with both of these solutions is that they’re hugely complicated and prone to vulnerabilities; it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities, we’ve written about examples in Comodo, ESET, Kaspersky, Fireeye and many more.”
• “Let’s look at an example from Symantec and Norton Antivirus. This vulnerability has an unusual characteristic: Symantec runs their unpackers in the Kernel!”
• “Reviewing Symantec’s unpacker, we noticed a trivial buffer overflow when a section’s SizeOfRawData field is greater than SizeOfImage. When this happens, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer.”
• “This was enough for me to make a testcase in NASM that reliably triggered Symantec’s ASPack unpacker. Once I verified this work with a debugger, building a PE header that mismatched SizeOfImage and SizeOfRawData would reliably trigger the vulnerability.”
• “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
• “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
• There is also a buffer overflow in the Power Point decomposer (used to check for macros etc)
• There is another vulnerability in “Advanced Heuristic Protection” or “Bloodhound Heuristics” mode
• “As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.”
• “Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here.”
• “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”
• “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
• There is “behind” and then there is 7 years, which is pretty much “definitely didn’t bother to look at all”
• “As well as the vulnerabilities we described in detail here, we also found a collection of other stack buffer overflows, memory corruption and more.”
• Additional Coverage: Fortune.com
• Additional Coverage: Ars Technica

Botnet made up to CCTV Cameras and DVRs conducts DDoS attacks

• As we reported in TechSNAP #259 a security research found that 70 different CCTV-DVR vendors are just reselling devices from the same Chinese manufacturer, with the same firmware
• This firmware has a number of critical security flaws that the vendor was notified about, but refused to fix
• Original coverage from March
• Now criminals have exploited one or more of these known vulnerabilities to turn these devices into a large botnet
• Unlike a typical botnet made up of personal computers that are turned on and off at random, and where a user might notice sluggish performance, infected embedded devices tend to be always on, and performance issues are rarely noticed
• A botnet of over 25,000 of these CCTV systems is being used to conduct layer7 DDoS attacks against various businesses
• One of the victims, a Jewelry store, moved their site behind a WAF (Web Application Firewall), to protect it from the attack
• Unlike most attackers, instead of admitting defeat and moving on, the attacker stepped up the attack, and prolonged it for multiple days
• Most botnets lose strength the longer the attack is sustained, because infected machines are shutdown, isolated, reported, or disconnected.
• The fact that this botnet is made up of embedded CCTV devices gives it more staying power, and it is not likely to be considered the source of the problem if abuse reports do come in.

Security of HTML5 Video Ads

• For a long time many have railed against Flash, and accused it of being the root of all evil when it comes to Malvertising
• “For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year.”
• This study provides a comparison between Flash and HTM5 based advertisements
• Flash ads tend to be smaller. HTML5 ads also on average 100kb larger, using more bandwidth, which on mobile can be a big deal
• Flash ads may be more work to create, since they are not responsive, and a different file must be created for each different ad size
• HTML5 ads do not require a plugin to run, but older browsers do not support them. This is becoming less of an issue the number of aged devices dwindles
• Flash ads tend to provide better picture quality, due to sub-pixel support
• HTML5 provides better mobile support, where Flash on mobile is rare
• There is currently a larger community of Flash developers, but this is changing
• HTML5 is not controlled by a single entity like Adobe
• Flash provides better optimization
• HTML5 provides better usability and semantic support
• This study finds that killing off Adobe Flash will not solve the security problems, HTML5 has plenty of its own security issues
• “Even if Flash is prohibited, malvertising can still be inserted in the first two stages of video ad delivery.”
• “The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.”
• A typical flash malvertising campaign, the ad calls the flash externalCall interface, and runs some malicious javascript, creating a popup, that if you user accepts, may infect their computer
• In an HTML5 based attack, the malvertising campaign payload is not in the actual advertisement, but in the VAST/VPAID metadata, as the tracking url. This silently navigates the user to an Angler exploit kit, where they are infected with no required user interaction
• “the second scenario shows how the ad unit itself is not the only piece of the malvertising pie”
• “The main root of the video ad malvertising problem is, unfortunately, fundamental. VAST/VPAID standards, developed in 2012, provide extensive abilities so that ad industry players can create a rich ad experience.”
• “Since these standards allow advertisers to receive data about the user, they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code.”
• “Now that we have debunked the idea that malvertising would be eliminated if the industry prohibited the use of Flash in their ads, let’s discuss solutions.”
• Even if malicious ads could be eliminated by better screening, malactors can compromise the ad network, and inject the malicious ads there
• In the end, maybe we need to stop allowing advertisements to have the ability to execute code
• Does anyone remember when advertisements were just animated .gif files?

Feedback:

• Jason

• Rob

• Ray –

• TheCloudisaLie

Round Up:

• Google’s giant new trans-Pacific internet cable goes online Thursday
• Vacationing Security Researcher finds skimmer in the wild
• Resold hard drives on eBay, Craigslist are often still ripe with leftover data
• Google CEO Sundar Pichais has Quota account hacked by “OurMine”
• FBI’s use of Tor exploit is like peering through “broken blinds”
• NASCAR team pays ransomware fee of $500 to recover 2 million dollar design files
• Chrome DRM bug makes it easy to download streaming video
• Java, PHP, NodeJS, and Ruby exposed to Swagger vulnerability
• Bits, Please!: QSEE privilege escalation vulnerability and exploit (CVE-2015-6639)
• Video: Lecture 13 – How to Build an Insecure System out of Perfectly Good Cryptography
• DoJ report: less than a quarter of one percent of wiretaps encounter any crypto
• Exfiltrate data from an air-gapped computer by modulating the fan speed — Fansmitter
• Microsoft to make saying no to Windows 10 update easier
• IRS kills off doomed PIN authentication method early. Authentication with your last years adjusted gross income to remain standard
• Javascript 7th edition released
• StartEncrypt had design, get a certificate for dropbox or github by faking API calls